Application Security (17)

Windows Exploit Countermeasures: Part 1

Modern Windows systems are equipped with numerous robust exploit defenses. This post will concentrate on Windows exploit countermeasures present on Windows systems up to and including Windows 7 32-bit.

An Overview of File Inclusion Vulnerabilities

Web applications are used for a wide range of purposes by individuals and different organizations. These web applications provide multiple benefits to their users as well as various functionalities. They are, nonetheless, vulnerable to malicious adversaries’ attacks. The exploitation of some of these security weaknesses can impede the organization’s key business processes, resulting in significant financial losses. As a result, it is very important to identify and fix such vulnerabilities discovered in the web application. File inclusion vulnerabilities are one of the most common types of vulnerabilities. This article discusses the many forms of file inclusion vulnerabilities, as well as their consequences and how to protect against them.

API Security

A set of subroutine definitions, protocols, and tools for developing application software is known as an application programming interface (API). It represents a set of communication protocols between different software components. A good API makes it easy to create software by supplying all of the necessary building blocks, which the programmer then assembles. A web-based system, operating system, database system, computer hardware, or software library may all have APIs. The API allows a programmer creating an application program to send a request to the operating system. The operating system then forwards the request to the appropriate software component, which completes the task and returns a response to the program.

Federated Identity Management and Single-Sign-On (SSO)

Employees in an organization are given access to various resources and applications in order to perform their day-to-day responsibilities. Instead of requiring the user to create a separate set of credentials for each application or resource, the organization employs SSO (Single-Sign-On) and federated identity management technologies, which result in smoother access to these resources and applications. These technologies, when implemented correctly, increase functionality and protect the organization’s valuable assets. This article covers federated identity management concepts, the different frameworks used to implement it, and the security challenges related to it.

Open Redirection

Occasionally, applications must redirect visitors to a different page. The intended behaviour is to send the user to a legitimate destination, but this is easy for attackers to abuse when user-supplied input influences the redirect target. In other words, an open redirect occurs when a website allows redirection to an unexpected page.

Broken Access Control (BAC)

Access control enforces policies so that users cannot act beyond their assigned privileges. When these controls fail, the common outcomes are unauthorized disclosure of information, modification or loss of some or all data, and execution of business functions outside the user’s limits; such failures are known as Broken Access Control.

Introduction to Web Application Firewall (WAF)

Web application firewalls (WAFs) are among the most recent developments in the field of firewall technology. In this blog post, we will define what a web application firewall is and how it functions. We will also cover some of the benefits of using a web application firewall.

Content Discovery - Part 2

There are many ways to discover hidden content on websites. In this blog post, we are going to manually find valuable information about websites with the help of:

Content Discovery - Part 1

The first stage in attacking software is obtaining and analyzing critical information about it in order to acquire a better grasp of what you’re dealing with. We can find information either manually, with the help of automated tools, or with Open-Source Intelligence (OSINT).

Introduction to Threat Modeling

Every organization has several valuable assets that must be safeguarded. The assets can be tangible, such as computers, laptops, and network equipment, or intangible, such as information, data, programs, and so on. As the number of cyber-attacks increases around the world, the focus on cyber security is shifting from reactive to proactive methods. A proactive cybersecurity strategy is a preventative strategy that seeks to discover any vulnerabilities and threats surrounding our assets before they have an opportunity to compromise the security of our assets. Threat modeling is one of the most widely utilized proactive methodologies in the creation of secure systems and applications. This article will explain what threat modeling is and how you can leverage it to improve your organization’s security posture.

Develop Secure Java Applets: A Step-by-Step Guide

What if malicious code takes over all of your local resources while you’re working with a Java applet? This is something that should never happen.

SDLC Software Development Life Cycle

SDLC, or Software Development Life Cycle, is a set of procedures for developing software applications. These steps break the development process down into tasks that can be assigned, completed, and measured.

Cross-Site Request Forgery

Cross-site request forgery (CSRF) is a type of attack that allows an attacker to perform unauthorized actions on behalf of a user. A CSRF attack happens when a malicious site sends a request to a victim site, causing the victim site to perform an action intended by the attacker. This can be used to steal information, such as login passwords, or to take actions on the user’s behalf, such as moving funds from their account.

Input Validation

When developing web applications that accept any sort of user input, you must ensure that input validation is performed. To begin with, you should never allow a user to include script in an input field. However, this does not totally fix the problem; an attacker still has numerous smart alternatives at his or her disposal.

Securing application cookies

The storage and protection of sensitive data in web applications is a major source of vulnerabilities. Attackers employ a variety of techniques to gain unauthorized access to the data stored on the user’s system (the “client side”) and processed by applications. In this blog post, we are going to explain what a cookie is, the design weaknesses of cookies, and possible methods of preventing cookie attacks.

Introduction to STRIDE as a Threat Modelling Framework

Threat modelling is the process of identifying potential threats to a system and figuring out how to mitigate or eliminate those threats. The goal is to make the system more secure and resilient against attacks. Threat modelling can be done at different levels, from high-level overviews down to very detailed analysis.

OWASP Top 10 Web Application Vulnerabilities

Web applications are created with a major emphasis on functionality, not security. As a result of this focus, malicious actors exploit vulnerabilities to steal/modify sensitive information or carry out unauthorized activities. Security always comes as an afterthought in the form of patches to deal with security flaws in web applications.